b"W                                                                   December 17, 1998\n\n\n\nTO:            AO/Chief Information Officer\n\nFROM:          W/Assistant Inspector General for Auditing\n\nSUBJECT:       Final Report on Year 2000 Program Oversight\n               of NASA\xe2\x80\x99s Production Contractors\n               Assignment Number A-HA-98-044\n               Report No. IG-99-004\n\n\nThe subject final report is provided for your use. Please refer to the Results in Brief section for\nthe overall audit results. Your comments on a draft of this report were responsive to our\nrecommendations. Our evaluation of your responses has been incorporated into the body of the\nreport, and an additional audit response is in Appendix C. The report\xe2\x80\x99s two recommendations\nwill remain open for reporting purposes pending implementation of planned and ongoing\ncorrective actions.\n\nIf you have questions concerning the report, please contact Mr. David L. Gandrud, Program\nDirector, Information Technology Program Audits, at (650) 604-2672, or Mr. Roger W. Flann,\nProgram Manager, at (818) 354-9755. We appreciate the courtesies extended to the audit staff.\nThe report distribution is in Appendix D.\n\n\n[original signed by]\nRussell A. Rau\n\nEnclosure\n\ncc:\nB/Chief Financial Officer\nG/General Counsel\nJM/Director, Management Assessment Division\n\x0cbcc:\nAIGA, IG, Reading (w/o Encl.) Chrons\nARC/204-11/D. Gandrud\nJPL/180-300/R. Flann\n\x0c                                                        IG-99-004\n\n\n\nAUDIT\nREPORT                        YEAR 2000 PROGRAM OVERSIGHT\n                           OF NASA\xe2\x80\x99S PRODUCTION CONTRACTORS\n\n\n                                    DECEMBER 17, 1998\n\n\n\n\n                              OFFICE OF INSPECTOR GENERAL\n\n\nNational Aeronautics and\nSpace Administration\n\x0cADDITIONAL COPIES\n\nTo obtain additional copies of this audit report, contact the Assistant Inspector General for\nAuditing at 202-358-1232.\n\nSUGGESTIONS FOR FUTURE AUDITS\n\nTo suggest ideas for or to request future audits, contact the Assistant Inspector General for\nAuditing. Ideas and requests can also be mailed to:\n\n               Assistant Inspector General for Auditing\n               NASA Headquarters\n               Code W\n               300 E Street SW\n               Washington, DC 20546\n\n\nNASA HOTLINE\n\nTo report fraud, waste, abuse, or mismanagement, contact the NASA OIG Hotline by calling\n1-800-424-9183, 1-800-535-8134 (TDD), or by writing the NASA Inspector General, P.O. Box\n23089, L\xe2\x80\x99Enfant Plaza Station, Washington, DC 20026. The identity of each writer and caller can\nbe kept confidential, upon request, to the extent permitted by law.\n\n\n\n\nACRONYMS\n\nCIO            Chief Information Officer\nDCAA           Defense Contract Audit Agency\nDCMC           Defense Contract Management Command\nDoD            Department of Defense\nFAC            Federal Acquisition Circular\nFAR            Federal Acquisition Regulation\nOMB            Office of Management and Budget\nPIC            Procurement Information Circular\nY2K            Year 2000\n\x0c                     NASA OFFICE OF INSPECTOR GENERAL\nIG-99-004                                                                          DECEMBER 17, 1998\n A-HA-98-044\n\n\n                       YEAR 2000 PROGRAM OVERSIGHT\n                    OF NASA\xe2\x80\x99S PRODUCTION CONTRACTORS\n\n\nIntroduction\n\nThe NASA Office of Inspector General is performing a review of the Year 2000 (Y2K) Program\nat five NASA Centers1 and the Jet Propulsion Laboratory. Our objectives were to (1) evaluate\nthe adequacy of NASA\xe2\x80\x99s efforts to renovate and validate systems with Y2K date problems,\n(2) evaluate the adequacy of NASA\xe2\x80\x99s oversight of contractor renovation and validation activities,\nand (3) determine whether NASA\xe2\x80\x99s Y2K reporting to the Office of Management and Budget\n(OMB) is accurate and well-supported. During the review, we identified an issue regarding the\nadequacy of NASA\xe2\x80\x99s oversight of its production contractors\xe2\x80\x992 efforts toward achieving Y2K\ncompliance. Details on our scope and methodology are in Appendix A.\n\nResults in Brief\n\nNASA lacks reasonable assurance that its production contractors will provide Y2K-compliant\ndata to support the Agency\xe2\x80\x99s key financial and program management activities. Without\nreasonable assurance that contractor systems are Y2K compliant, NASA risks receiving,\nprocessing, and placing reliance on erroneous data that could adversely affect Agency operations.\n\nBackground\n\nThe Y2K problem affects computer systems worldwide. Software application programs that use\na standard two-digit format (mm/dd/yy) to generate a date may not work properly after the year\n2000. Systems that will continue to function properly are designated \xe2\x80\x9cY2K compliant.\xe2\x80\x9d Systems\nthat are not \xe2\x80\x9cY2K compliant\xe2\x80\x9d are at risk of failure and may cause other systems to fail. Y2K\ncompliance is defined in NASA\xe2\x80\x99s Year 2000 Test and Certification Guidelines and Requirements\nas information technology that:\n\n        . . . accurately processes date/time data (including, but not limited to, calculating,\n        comparing, and sequencing) from, into, and between the twentieth and twenty-first centuries,\n        and the years 1999 and 2000 and leap year calculations, to the extent that other information\n        technology, used in combination with the information technology being acquired, properly\n        exchanged date/time data with it.\n\n1\n  Goddard Space Flight Center, Lyndon B. Johnson Space Center, John F. Kennedy Space Center, Lewis\nResearch Center, and George C. Marshall Space Flight Center.\n2\n  Contractors who provide goods to NASA and submit required reporting on contractor-owned and -operated\ninformation technology systems.\n\x0cThe Y2K problem is especially relevant to NASA\xe2\x80\x99s relationship with its contractors. NASA\ncontracts out about 90 percent of its total budget and, therefore, relies heavily on contractor\nreporting for its key financial and program management information. In this regard, NASA\nhas taken steps to work with its contractors and business partners on the Y2K problem.\nThese steps have included sending more than 3,000 letters, signed by the NASA\nAdministrator, to every business and institution that works with NASA. The letters state the\nimportance of NASA\xe2\x80\x99s Y2K program, request assurance that the organization has a Y2K plan\nof action, and ask for a point of contact. In addition, NASA has established Y2K outreach\nefforts with the Aerospace Industry Association.\n\nIn addition to the above actions, the Office of Procurement has issued two Y2K-related\nProcurement Information Circulars (PICs) (PICs 98-8 and 98-9, each dated May 21, 1998). The\nPICs require contracting officers to include Y2K-compliance clauses in Y2K-affected solicitations\nand contracts for NASA information technology. The clauses require the contractor to meet Y2K\nrequirements within established milestones.\n\nNASA largely depends on Department of Defense (DoD) organizations to perform the contract\nadministration and audit functions at NASA\xe2\x80\x99s contractor locations. The principal DoD\norganizations providing those services are the Defense Contract Audit Agency (DCAA) and the\nDefense Contract Management Command (DCMC). NASA\xe2\x80\x99s Office of Procurement may request\nservices from each of those organizations. An agreement signed in 1969 delineates the contract\nadministration and contract audit services that DoD will provide to NASA. Under this\nagreement, the DCAA performs audits of contractor operations including financial management\nsystems and the DCMC performs contract administration responsibilities including administration\nof property, industrial facilities, production, and quality assurance.\n\nContractor Reporting\n\nFinding. NASA lacks reasonable assurance that its production contractors will provide Y2K-\ncompliant data to support the Agency\xe2\x80\x99s key financial and program management activities. This\ncondition occurred because the Office of Procurement has not asked the DCAA or DCMC to\nconduct Y2K reviews at NASA\xe2\x80\x99s major contractor locations. As a result, NASA risks using\nnoncompliant data that may adversely affect the Agency\xe2\x80\x99s control, budgeting, program\nmanagement, and cost accounting activities.\n\nNASA requires its contractors to submit key financial and program information. For example,\nNASA Policy Directive 9501, \xe2\x80\x9cNASA Contractor Financial Management Reporting System,\xe2\x80\x9d\nApril 23, 1996, requires contractors to report cost, schedule, and performance data. NASA\nFederal Acquisition Regulation (FAR) Supplement 1845, \xe2\x80\x9cManagement of Government\n\n\n\n\n                                               2\n\x0cProperty in the Possession of Contractors,\xe2\x80\x9d requires contractors to report any Agency\nproperty in their possession. Information submitted in response to these reporting\nrequirements3 is critical to NASA\xe2\x80\x99s financial and programmatic activities.\n\nDCAA and DCMC Headquarters officials told us they had no overall plan to verify Y2K\ncompliance at NASA contractor locations. At the time of our review, the DCAA and DCMC\nwere developing guidance for performing Y2K work but had been unable to reach agreement on\nthe contents of the guidance. To determine whether other Y2K work may have been in process at\nNASA contractor locations, we contacted DCAA representatives at the Jet Propulsion\nLaboratory; Boeing Rocketdyne Division; and Cordant Technologies, Inc. (Thiokol Propulsion\nGroup). The representatives confirmed that the DCAA had no plans to verify Y2K compliance at\ntheir locations. Further, NASA had no plans to determine the status of Y2K compliance efforts\nby NASA\xe2\x80\x99s production contractors.\n\nSubsequent to completion of our initial field work, on September 14, 1998, DCAA Headquarters\nissued guidance to its regional offices regarding the need to consider Y2K issues in DCAA audits.\nThe guidance discusses audit responsibilities related to inquiries about contractor Y2K\nremediation efforts, internal control risk assessment consideration of Y2K issues, and cost and\ngoing concern4 issues. However, the guidance did not specify a timetable for providing Y2K\naudit coverage at major or nonmajor locations. These audit activities should be consistent with\nNASA\xe2\x80\x99s overall Y2K goals and milestones for ensuring Y2K compliance and should place\nmaximum reliance on assessments performed to fulfill other needs such as those initiated by the\nSecurities and Exchange Commission for quarterly and annual reporting by registrants.\n\nAs a customer of DCAA and DCMC services, NASA needs to specify the extent of coverage and\nmilestones for examination of contractor Y2K compliance. At a minimum, the Agency should\nseek reasonable assurance that major contractors are examined and that the nature and extent of\ntheir Y2K compliance is determined. NASA should also require that Y2K compliance problems\nidentified in these examinations be monitored through completion of corrective action.\n\nRecommendations for Corrective Action\n\nRecommendation 1. The NASA Associate Administrator for Procurement, in coordination with\nthe NASA Chief Information Officer, should request the DCAA and DCMC to: assess Y2K\ncompliance at major NASA contractor locations, with emphasis on systems that provide critical\nmanagement information to NASA; and track corrective action on identified deficiencies.\n\n\n3\n  Specific reporting requirements are in NASA Form 533, \xe2\x80\x9cNASA Contractors Financial Management\nReports,\xe2\x80\x9d and Form 1018, \xe2\x80\x9cReport of Government-owned/Contractor-held Property.\xe2\x80\x9d NASA Form 533\nidentifies basic financial management information on contract cost, schedule, and performance, and represents\nthe basis for NASA\xe2\x80\x99s largest financial statement liability account (Accounts Payable). NASA Form 1018\nidentifies various types of property, including land, buildings and structures, material, plant equipment, space\nhardware, special tooling, and special test equipment. These assets represent the single largest asset account\n(part of the Property, Plant and Equipment account) listed in the Agency\xe2\x80\x99s financial statements.\n4\n  The ability of an entity to continue to exist.\n\n\n                                                       3\n\x0cRecommendation 2. The NASA Associate Administrator for Procurement, in cooperation with\nthe NASA Chief Information Officer, should establish milestones for DCAA and DCMC progress\nin reviewing contractor Y2K compliance.\n\nManagement\xe2\x80\x99s Response\n\nConcur with intent. After submitting a response dated November 2, 1998, the Chief Information\nOfficer (CIO) submitted additional comments dated November 19, 1998 (see Appendix B), that\nstated \xe2\x80\x9cWe are taking steps that we believe concur with the intent of the recommendations, that\nis, to seek reasonable assurance that major contractors are examined and that the nature and\nextent of their Y2K compliance is determined.\xe2\x80\x9d Specifically, NASA will issue a letter to DCAA\nrequesting the dates DCAA plans to perform Y2K assessments at each of NASA\xe2\x80\x99s major\ncontractors. Based on the DCAA response, NASA management will determine whether further\naction is necessary. Also, NASA will issue a letter to its Center Procurement Officers\ncommunicating the DCAA Y2K guidance and the DCAA response to NASA\xe2\x80\x99s letter on major\ncontractor coverage. The letter will remind the Procurement Officers of their responsibilities for\nmonitoring Y2K problems identified by DCAA.\n\nManagement also provided general comments on the report that we address in Appendix C.\n\nEvaluation of Management\xe2\x80\x99s Response\n\nWe consider management\xe2\x80\x99s planned actions responsive to the recommendations. The actions\nshould enable NASA to achieve visibility of its contractors\xe2\x80\x99 Y2K status and determine whether\nfurther DCAA direction is necessary. While NASA did not specifically task DCMC to track Y2K\nefforts of NASA contractors, the NASA letter to the DCAA dated November 6, 1998, adequately\naddressed the DCMC role regarding Y2K assessments of Government-owned/Contractor-held\nproperty.\n\n\n\n\n                                               4\n\x0c                                                                                       APPENDIX A\n\n\nSCOPE AND METHODOLOGY\nWe conducted the audit in accordance with generally accepted government auditing standards.\nWe performed the audit field work for this report from July 15, through September 11, 1998.\nWe examined and tested applicable records and documentation (dated from May 1969 through\nAugust 1998),5 to identify applicable management controls and to verify that the controls were\nworking as described. Specifically, we:\n\n    \xe2\x80\xa2   Reviewed contract support agreements between NASA and the DoD, NASA\xe2\x80\x99s\n        Y2K documented communications with its contractors, NASA\xe2\x80\x99s financial\n        statements, applicable NASA policy directives, NASA procedures and guidance,\n        and applicable sections of the NASA FAR Supplement.\n\n    \xe2\x80\xa2   Interviewed Y2K Headquarters representatives at the DCAA, the DCMC, and the\n        NASA Office of Procurement.\n\n    \xe2\x80\xa2   Interviewed DCAA office managers at the Jet Propulsion Laboratory; Boeing\n        Rocketdyne Division; and Cordant Technologies, Inc. (Thiokol Propulsion Group)\n        to determine the extent of the DCAA Y2K audit work performed or planned at\n        those locations.\n\n\n\n\n5\n  Agreements between NASA and DoD for performance of contract administration and contract audit services\nin support of NASA contracts, dated 1969 and 1992; NASA Policy Directive 9501.1F, \xe2\x80\x9cNASA Contractor\nFinancial Management Reporting System,\xe2\x80\x9d April 23, 1996; NASA Procedures and Guidance 9501.2C,\n\xe2\x80\x9cProcedures for Contractor Reporting of Correlated Cost,\xe2\x80\x9d April 23, 1996; FAR Part 45, \xe2\x80\x9cGovernment\nProperty\xe2\x80\x9d; NASA FAR Supplement, Subpart 1845, \xe2\x80\x9cManagement of Government Property in the Possession\nof Contractors.\xe2\x80\x9d\n\n\n\n\n                                                   5\n\x0c                            APPENDIX B\n\n\nMANAGEMENT'S RESPONSE\n\n\n\n\n                        6\n\x0c    APPENDIX B\n\n\n\n\n7\n\x0c    APPENDIX B\n\n\n\n\n8\n\x0c    APPENDIX B\n\n\n\n\n9\n\x0c     APPENDIX B\n\n\n\n\n10\n\x0c     APPENDIX B\n\n\n\n\n11\n\x0c     APPENDIX B\n\n\n\n\n12\n\x0c     APPENDIX B\n\n\n\n\n13\n\x0c     APPENDIX B\n\n\n\n\n14\n\x0c     APPENDIX B\n\n\n\n\n15\n\x0c     APPENDIX B\n\n\n\n\n16\n\x0c     APPENDIX B\n\n\n\n\n17\n\x0c                                                                             APPENDIX C\n\n\nMANAGEMENT\xe2\x80\x99S GENERAL COMMENTS AND AUDIT RESPONSES\nThe CIO provided the following general comments on the draft report.\n\nManagement\xe2\x80\x99s Comments\n\nAlthough the CIO concurred with the intent of the report\xe2\x80\x99s recommendation \xe2\x80\x9cto seek\nreasonable assurance that major contractors are examined and that the nature and extent of\ntheir Y2K compliance is determined,\xe2\x80\x9d the CIO did not concur with the finding that NASA\nlacks reasonable assurance that its production contractors are Y2K-compliant. The CIO\nstated that the report failed to show why the DCAA and the DCMC should perform\nspecific-purpose Y2K audits at major NASA contractors, given the contractors\xe2\x80\x99 existing level\nof Y2K oversight. The CIO cited examples of existing Y2K oversight including the Security\nand Exchange Commission\xe2\x80\x99s disclosure requirements, audit reviews by certified public\naccountants, corporate in-house Y2K audits, and NASA\xe2\x80\x99s outreach work with the aerospace\nand aeronautics industry groups.\n\nAudit Response\n\nWe agree that Y2K oversight may exist at NASA\xe2\x80\x99s production contractors; however, we\nfound no evidence that NASA was assessing the adequacy of its contractors\xe2\x80\x99 Y2K activities.\nAlso, we found no evidence that either the DCAA or the DCMC was assessing the\ncontractors\xe2\x80\x99 Y2K activities. Accordingly, we concluded that NASA lacked reasonable\nassurance that its contractors were or would be Y2K-compliant. We believe NASA can better\nassess the adequacy of its contractors\xe2\x80\x99 Y2K activities after the DCAA has implemented its\nguidance for assessing contractors\xe2\x80\x99 Y2K status and has responded to NASA\xe2\x80\x99s letter\nrequesting data on Y2K coverage. If NASA finds the DoD audit or contract Y2K coverage\ninadequate, then NASA can take appropriate action to address the deficiencies.\n\n\n\n\n                                             18\n\x0c                                                                             APPENDIX D\n\n\nREPORT DISTRIBUTION\n\nNASA Headquarters\n\nCode AO/Chief Information Officer\nCode B/Chief Financial Officer\nCode B/Comptroller\nCode G/General Counsel\nCode H/Acting Associate Administrator for Procurement\nCode J/Associate Administrator for Management Systems and Facilities\nCode JM/Director, Management Assessment Division\nCode L/Associate Administrator for Legislative Affairs\nCode M/Associate Administrator for Space Flight\nCode R/Associate Administrator for Aero-Space Technology\nCode R/Chief Information Officer Representative\nCode S/Associate Administrator for Space Science\nCode W/Assistant Inspector General for Inspections, Administrative Investigations,\n and Assessments\nCode Y/Associate Administrator for Earth Science\n\nNASA Offices of Inspector General\n\nAmes Research Center\nGoddard Space Flight Center\nJet Propulsion Laboratory\nLyndon B. Johnson Space Center\nJohn F. Kennedy Space Center\nLangley Research Center\nLewis Research Center\nGeorge C. Marshall Space Flight Center\nJohn C. Stennis Space Center\n\n\n\n\n                                             19\n\x0c                                                                             APPENDIX D\n\n\nNon-NASA Federal Organizations and Individuals\n\nAssistant to the President for Science and Technology Policy\nAssistant to the President and Chair, President's Council on Y2K Conversion\nDeputy Director of Management, Office of Management and Budget\nDeputy Associate Director, Energy and Science Division, Office of Management\n and Budget\nBudget Examiner, Energy Science Division, Office of Management and Budget\nAssociate Director, National Security and International Affairs Division,\n General Accounting Office\nSpecial Counsel, House Subcommittee on National Security, International Affairs,\n and Criminal Justice\nProfessional Assistant, Senate Subcommittee on Science, Technology, and Space\nAssistant Inspector General for Auditing, Department of Defense\nDirector, Defense Contract Audit Agency\n\nChairman and Ranking Minority Member -- Congressional Committees and\nSubcommittees\n\nSenate Committee on Appropriations\nSenate Subcommittee on VA, HUD, and Independent Agencies\nSenate Committee on Commerce, Science, and Transportation\nSenate Subcommittee on Science, Technology, and Space\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on VA, HUD, and Independent Agencies\nHouse Committee on Government Reform and Oversight\nHouse Committee on Science\nHouse Subcommittee on Space and Aeronautics\n\nCongressional Member\n\nThe Honorable Pete Sessions, U.S. House of Representatives\n\n\n\n\n                                            20\n\x0cMAJOR CONTRIBUTORS TO THIS REPORT\n\nDavid L. Gandrud, Program Director, Information Technology Program Audits\nRoger W. Flann, Program Manager\nBarbara J. Smith, Program Assistant\n\n\n\n\n                                     21\n\x0c"